Wednesday, May 21, 2008

[updated] Encrypting partition with LUKS

This topic is far from new, and you will find a lot of tutorials on the net. But as I already said before, I lack a sort of baked recipes and a central point for things. So if you want the originals of these baked recipes go here and here, and for the official LUKS page here.

So first of all what I really need to encrypt are the following partitions:

/home
/var
/etc
swap


You can simplify by encrypting everything except /boot (ok, you may also encrypt that but I do not see the point and did not try it).

The main issue with disk encryption is disk performance, especially when removing things (which includes moving files from one file system to another). So if you really need a fast partition, I recommend keeping a plain ext2/ext3 partition at the end of the disk (the closer to the outer edge of the disk, the quicker things get done; this does not apply to SCSI disks).

That said, the reason to encrypt swap is to ensure that no one can force a swap attack on you (forcing the system to drop some sensitive data onto the swap partition and then reading it out). /var is also important because the system logs are there, and if you are not that much of a security freak you will eventually mix things up and type your password instead of your username (which will be recorded in the security log). /etc is for the sake of it (you do not need it if you keep a safe checksum of all files there and check it before turning your network connection on, hehe). Last but not least, your precious /home, and you know why you need it (as does the RIAA).

The problem with the Fedora 9 out-of-the-box procedure is that it does not randomize the disk before encrypting it (which is important but takes a lot, but a LOT, of time), which is understandable for an installation procedure. But you want security, so you want to do things right. Before you start, keep this in mind: you need time, a lot of time. For my SATA disk in a Pentium 4 3.2GHz the speed was about 3M/s; doing the math:

1GB ~ 6min.
10GB ~ 1h
50GB ~ 4h 45min.
100GB ~ 9h 30min.
150GB ~ 14h
200GB ~ 19h
250GB ~ 24h
300GB ~ 29h
512GB ~ 2days
1TB ~ 4days

If you know a faster procedure, please tell me. The speed problem is not in the disk but in the random number generation, so it is unlikely to change for a notebook (if you are getting nervous about that).

So the procedure below is for a data partition and swap. But first of all (and this is VERY important), copy this text into a text file and save it in your root partition (I really mean /), because you will need to shut down your X11 AND network connections.

1. Back up your partition; you will lose everything.

2. Really, DO a backup, you will regret it later if you don't (you can use FlyBack)

3. Save this text in a text file in "/";

4. Log out and switch to a terminal (<CONTROL>+<ALT>+<F1> should do it) and log in as root;

5. Execute the following commands:

5.1. Runlevel 1:
#---
telinit 1
#---


5.2. Note somewhere which is the real partition that you want to encrypt:
#---
mount | grep home
#---


It should return something like: /dev/sdaXX or /dev/hdaXX

If it returns something like /dev/mapper/SEC_DEV, it means that your partition was previously encrypted and you will need the real device.

5.2.1. Dealing with encrypted devices:
#---
cat /etc/crypttab | grep SEC_DEV
#---


Here you should get the real partition name.

5.3. /home:
#---
fuser -mvk /home
umount /home
#---


5.4. Verify if it was really unmounted:
#---
cat /proc/mounts | grep home
#---


5.4.1. If you have a previously encrypted partition you need this step (I'm confident that you do have a safe backup):
#---
cryptsetup remove SEC_DEV
#---


Note that I did NOT include the whole path (/dev/mapper/SEC_DEV).

5.5. Fill the partition with random data (this is the point where you must be sure you have a backup):
#---
dd if=/dev/urandom of=/dev/REAL_DEV
#---


REAL_DEV is the same as in step 5.2.
Note that the above command will end with an "out of space" error; do not worry about it.

5.6. Let LUKS know about your new partition.
#---
cryptsetup --verbose --verify-passphrase luksFormat /dev/REAL_DEV
#---


5.6.1. Open it:
#---
cryptsetup luksOpen /dev/REAL_DEV SEC_DEV
#---


SEC_DEV is any string you like. The Fedora standard is luks-REAL_DEV (like luks-sda6 for /dev/sda6).

5.6.2. Verify that everything is there:
#---
ls -l /dev/mapper | grep SEC_DEV
#---


5.7. Create the file system:
#---
mkfs.ext3 /dev/mapper/SEC_DEV
#---


5.8. Mount it, to check it out:
#---
mount /dev/mapper/SEC_DEV /home
df -h | grep home
#---


5.9. Edit your /etc/crypttab and include the following line:

SEC_DEV /dev/REAL_DEV none

[update]
5.10. Collect your UUID for the /etc/fstab:

NOTE: The cryptsetup method does NOT work on re-encrypted partitions, so prefer the tune2fs method.

#---
cryptsetup luksUUID /dev/REAL_DEV
#---


#---
tune2fs -l /dev/mapper/SEC_DEV | grep UUID
#---

[update]

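It should print something like: c3119452-5a93-49bb-9c91-28d75a830a18

5.10.1. Alternatively you can already throw it into your /etc/fstab (but be careful to include the two ">"; a single ">" would overwrite the file). The appended line is the raw tune2fs output, so it still has to be edited into the form shown in step 5.11: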
[update]
#---
tune2fs -l /dev/mapper/SEC_DEV | grep UUID >> /etc/fstab
#---

[update]

5.11. Edit your /etc/fstab to include the following line (removing any other existing line that refers to /home):

UUID=<YOUR UUID> /home ext3 defaults 1 2

or

/dev/mapper/SEC_DEV /home ext3 defaults 1 2

5.12. Verify again:
#---
umount /home
mount /home
#---


5.13. Restore SELinux contexts:
#---
/sbin/restorecon -v -R /home
#---


6. Now the swap partition, which is a little bit different:

6.1. Identifying the partition:
#---
swapon -s
#---


6.1.1. If it turns out to be an encrypted partition, follow step 5.2.1.

6.2. Turn off the swap (unmount the partition):
#---
swapoff -a
#---


6.3. Repeat steps 5.4.1 (if needed) and 5.5.

6.4. Let LUKS know about the new partition:
#---
cryptsetup create SEC_DEV /dev/REAL_DEV
#---


Here you will get the UUID for this device; note it somewhere. Or use the cryptsetup method from step 5.10 (because it is NOT a data file system, it is the only way, and it works, but only for swap partitions).

6.5. Open it (step 5.6.1).

6.6. Make it swap:
#---
mkswap /dev/mapper/SEC_DEV
#---


6.7. Edit your /etc/crypttab (step 5.9).

6.8. Edit your /etc/fstab to include the following line:

UUID=<YOUR UUID> swap swap defaults 0 0

or

/dev/mapper/SEC_DEV swap swap defaults 0 0


6.9. Check it:
#---
swapon -a
swapon -s
#---


7. Reboot your system:
#---
shutdown -r now
#---


You will be asked for your passphrase at boot time; once everything is running, restore your backup.
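
A sanity check to run before the reboot, as an added example that is not part of the original recipe: it lints /etc/crypttab against /etc/fstab for the mistakes the crypttab and fstab edits in steps 5 and 6 make easy (fstab still pointing at the real device, raw tune2fs output left behind by step 5.10.1, a /dev/mapper name with no crypttab entry, an old /home line not removed). The function names, the sample files and the luks-sda6/luks-sda7 names are constructed for illustration, and it assumes no LVM volumes are listed under /dev/mapper.

```shell
#!/bin/sh
# Added example: lint crypttab against fstab before rebooting.
# Prints one finding per line; returns 0 if clean, 1 otherwise.
check_crypt_config() {  # usage: check_crypt_config CRYPTTAB FSTAB
    awk '
    NF == 0 || $1 ~ /^#/ { next }                 # blank lines, comments
    FILENAME == ARGV[1] {                         # crypttab: name device key
        real[$2] = $1; mapped["/dev/mapper/" $1] = 1; next
    }
    $1 == "Filesystem" && $2 == "UUID:" {         # left over from step 5.10.1
        print "fstab:" FNR ": raw tune2fs output, rewrite as UUID=<uuid>"
        bad = 1; next
    }
    $1 in real {                                  # would mount the ciphertext
        print "fstab:" FNR ": " $1 " backs " real[$1] ", use /dev/mapper/" real[$1]
        bad = 1
    }
    $1 ~ /^\/dev\/mapper\// && !($1 in mapped) {  # never opened at boot
        print "fstab:" FNR ": " $1 " has no crypttab entry"; bad = 1
    }
    $2 ~ /^\// && seen[$2]++ {                    # old line not removed
        print "fstab:" FNR ": duplicate mount point " $2; bad = 1
    }
    END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample files (not from a real system); devices are placeholders.
write_samples() {  # usage: write_samples DIR
    cat > "$1/crypttab" <<'EOF'
luks-sda6 /dev/sda6 none
EOF
    cat > "$1/fstab.bad" <<'EOF'
/dev/sda6 /home ext3 defaults 1 2
Filesystem UUID:          c3119452-5a93-49bb-9c91-28d75a830a18
/dev/mapper/luks-sda6 /home ext3 defaults 1 2
/dev/mapper/luks-sda7 swap swap defaults 0 0
EOF
    cat > "$1/fstab.good" <<'EOF'
UUID=c3119452-5a93-49bb-9c91-28d75a830a18 /home ext3 defaults 1 2
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_crypt_config "$tmp/crypttab" "$tmp/fstab.bad" || echo "fix fstab before rebooting"
rm -rf "$tmp"
```

On a real system the call is `check_crypt_config /etc/crypttab /etc/fstab`; a UUID= line cannot be resolved without the device, so it is only checked for duplicate mount points.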

Have fun!
